6369 introducing windows 8 1 for IT professionals technical overview

139 11 0
  • Loading ...
1/139 trang
Tải xuống

Thông tin tài liệu

Ngày đăng: 05/10/2018, 12:56

spine = 254” Get a head start evaluating Windows 8.1—with early technical insights from award-winning journalist and Windows expert Ed Bott This guide introduces new features and capabilities, providing a practical, high-level overview for IT professionals ready to begin deployment planning now Preview new features and enhanced capabilities, including: • The Windows 8.1 user experience • Deployment tools and technologies • Security features • Internet Explorer 11 • Delivering Windows Store apps • Recovery options • Networking and remote access • Virtualization • Windows RT 8.1 • Managing mobile devices Also see William R Stanek Author and Series Editor Pocket Consultant This title is also available as a free eBook from Microsoft at: http://aka.ms/mspressfree About the Author Ed Bott is an award-winning journalist known to millions of readers through two decades of writing for leading industry publications and more than 25 books on Microsoft Office and Windows, including Windows Inside Out and Microsoft Office Inside Out: 2013 Edition spine = 1.3” Microsoft Office: 2013 Edition Windows 8.1 Administration Storage, Security, & Networking William R Stanek Author and Series Editor ISBN: 978-0-7356-8427-0 For Intermediate and Advanced Users You’re beyond the basics, so dive right into Microsoft Office— and really put these productivity tools and services to work! This supremely organized reference packs hundreds of timesaving solutions, troubleshooting tips, and workarounds It’s all muscle and no fluff Discover how the experts tackle Office—and challenge yourself to new levels of mastery • • • • • • • • • Take advantage of Office in the cloud with Office 365 Get insider tweaks and tips to become more productive Sync your email, calendar, and contacts on multiple devices Organize and edit complex documents with Microsoft Word Enhance Microsoft PowerPoint presentations with rich media Handle data with the Microsoft Excel Quick Analysis tools Get organized with Microsoft OneNote using expert techniques Save, share, and sync documents and settings with SkyDrive Use Microsoft Access, Publisher, and Lync in smarter ways Pocket Consultant Windows 8.1 Administration Pocket Consultant Essentials & Configuration ISBN: 9780735682658 Storage, Security, & Networking ISBN: 9780735682610 Inside OUT Conquer Microsoft Office—from the inside out! About the Authors Ed Bott has written more than 25 books on Microsoft Office and Windows, including Windows Inside Out and Microsoft Office 2010 Inside Out He’s an award-winning journalist for leading industry publications Carl Siechert specializes in writing and producing product documentation for the personal computer industry He’s coauthored dozens of books, including Windows Inside Out and Microsoft Windows XP Networking and Security Inside Out Microsoft Office: 2013 Edition Windows 8.1 Administration Essentials & Configuration Note The ultimate, in-depth reference Hundreds of timesaving solutions Supremely organized, packed with expert advice Companion eBook Companion eBook Download using the instruction page in the back of the book Includes coverage of: • Office 365 Home Premium • Office 365 Small Business Premium • Office 365 ProPlus • Office Professional 2013 • Office Home and Business 2013 • Office Home and Student 2013 Inside OUT Bott Siechert microsoft.com/mspress U.S.A $54.99 Canada $57.99 [Recommended] Microsoft Office Inside OUT Microsoft Office: 2013 Edition Ed Bott Award-winning technology author and journalist | Carl Siechert Microsoft Office and Windows expert Microsoft Office Inside Out 2013 Edition ISBN: 9780735669062 Introducing Windows 8.1 for IT Professionals Introducing Windows 8.1 for IT Professionals Introducing Windows 8.1 for IT Professionals Technical Overview U.S.A $9.99 Canada $10.99 [Recommended] Operating Systems/Windows Celebrating 30 years! ED BOTT www.it-ebooks.info PUBLISHED BY Microsoft Press A Division of Microsoft Corporation One Microsoft Way Redmond, Washington 98052-6399 Copyright © 2013 Microsoft Corporation All rights reserved No part of the contents of this book may be reproduced or transmitted in any form or by any means without the written permission of the publisher Library of Congress Control Number: 2013949892 ISBN: 978-0-7356-8427-0 Microsoft Press books are available through booksellers and distributors worldwide If you need support related to this book, email Microsoft Press Book Support at mspinput@microsoft.com Please tell us what you think of this book at http://www.microsoft.com/learning/booksurvey Microsoft and the trademarks listed at http://www.microsoft.com/about/legal/en/us/IntellectualProperty/ Trademarks/EN-US.aspx are trademarks of the Microsoft group of companies All other marks are property of their respective owners The example companies, organizations, products, domain names, email addresses, logos, people, places, and events depicted herein are fictitious No association with any real company, organization, product, domain name, email address, logo, person, place, or event is intended or should be inferred This book expresses the author’s views and opinions The information contained in this book is provided without any express, statutory, or implied warranties Neither the authors, Microsoft Corporation, nor its resellers, or distributors will be held liable for any damages caused or alleged to be caused either directly or indirectly by this book Acquisitions Editor: Anne Hamilton Developmental Editor: Valerie Woolley Project Editors: Valerie Woolley and Carol Dillingham Editorial Production: Christian Holdener, S4Carlisle Publishing Services Technical Reviewer: Randall Galloway Copyeditor: Roger LeBlanc www.it-ebooks.info Contents Introductionvii Chapter An overview of Windows 8.1 What is Windows 8.1? Support for new device types User experience User accounts and synchronization New apps What’s new for IT pros? Security enhancements Deployment and migration 10 Manageability 11 Virtualization 11 Under the hood 22 Windows 8.1 installation and upgrade options 13 Chapter The Windows 8.1 user e ­ xperience 15 Introducing the Windows 8.1 user experience 16 The Windows 8.1 desktop 19 Customizing the Start screen 22 Managing the user experience 24 What you think of this book? We want to hear from you! Microsoft is interested in hearing your feedback so we can continually improve our books and learning resources for you To participate in a brief online survey, please visit: microsoft.com/learning/booksurvey iii www.it-ebooks.info Chapter Deploying Windows 8.1 27 Windows 8.1 editions at a glance 27 Assessing compatibility 29 Choosing a deployment strategy 31 Windows Assessment and Deployment Kit 33 Application Compatibility Toolkit (ACT) 34 Deployment and Imaging 34 Windows Preinstallation Environment 35 User State Migration Tool 35 Volume Activation Management Tool 37 Windows Performance Toolkit 37 Windows Assessment Toolkit 37 Windows Assessment Services 37 Microsoft Deployment Toolkit 38 Microsoft Deployment Toolkit 2013 38 System Center 2012 R2 Configuration Manager 39 Windows To Go 39 Who should use Windows To Go 40 Preparation and requirements 41 Management and security 42 Windows To Go workspace creation 44 Chapter Security in Windows 8.1 47 Assessing the threat landscape 48 New hardware, new security capabilities 48 Securing the boot process 49 Securing the sign-in process 51 Blocking malware 52 iv Windows Defender 53 Internet Explorer 11 53 SmartScreen and phishing protection 55 Contents www.it-ebooks.info Securing data 55 Pervasive device encryption 56 BitLocker Drive Encryption 56 Remote business data removal 57 Chapter Internet Explorer 11 59 The two faces of Internet Explorer in Windows 8.1 59 What’s new in Internet Explorer 62 Deploying and managing Internet Explorer 11 64 Dealing with compatibility issues 67 Chapter Delivering Windows Store apps 69 What is a Windows Store app? 70 How Windows Store apps work 71 Distributing a Windows Store app 74 Publishing an app to the Windows Store 74 Distributing apps within an enterprise 76 Managing Windows Store apps 79 Chapter Recovery options in ­Windows 8.1 85 Using Windows Recovery Environment 85 Customizing Windows Recovery Environment 90 Refresh and reset 91 Refresh Your PC 93 Reset Your PC 93 Microsoft Diagnostics and Recovery Toolset 94 Chapter Windows 8.1 and networks 97 What’s new in Windows 8.1 networking? 97 Mobile broadband support 98 Contents www.it-ebooks.info v Changes in the Wi-Fi user experience 98 Connecting to corporate networks 100 VPN client improvements 101 BranchCache 102 DirectAccess 102 IPv6 Internet support 103 Chapter Virtualization in Windows 8.1 105 Client Hyper-V 106 Desktop virtualization options 108 Application virtualization 111 User Experience Virtualization (UE-V) 113 Chapter 10 Windows RT 8.1 115 What Windows RT 8.1 can and can’t 116 Office 2013 RT 117 Connecting to corporate networks 119 Access to data 120 Chapter 11 Managing mobile devices 121 Mobile device management strategies 121 System Center 2012 R2 Configuration Manager 122 Windows Intune 124 Workplace Join 124 Work Folders 126 Web Application Proxy 130 Device lockdown (Assigned Access) 130 What you think of this book? We want to hear from you! Microsoft is interested in hearing your feedback so we can continually improve our books and learning resources for you To participate in a brief online survey, please visit: microsoft.com/learning/booksurvey vi Contents www.it-ebooks.info Introduction I t’s difficult to believe that Windows was introduced only a year ago, and yet today its successor, Windows 8.1, is ready for widespread adoption By ­Microsoft’s standards, that is warp speed And it is a tribute to the developers who designed and built Windows and 8.1 that they have been able to sustain that pace and deliver such a polished product The Windows product line represents a radical departure for Microsoft A new user experience A new app platform New security features and new management tools If you’re an IT pro, you have the daunting job of helping your users adapt to the newness of Windows 8.1 while you try to stay at least one step ahead Although I’ve written in-depth guides to Windows in the past, this book is not one of those Nor I pretend to offer much in the way of opinions or review Only you can decide whether and how and when to incorporate Windows 8.1 into your enterprise, based on your own organizational requirements My goal in this book is to help you on that upgrade path by presenting the facts and features about Windows 8.1 as clearly as I can If you’ve been living in an environment built around a previous version of Windows, you have a lot to absorb in the transition to Windows 8.1 I’ve tried to lay out those facts in as neutral a fashion as possible, starting with an overview of the operating system, explaining the many changes to the user experience, and diving deep into deployment and management tools where it’s necessary By design, this book focuses on things that are new, with a special emphasis on topics of interest to IT pros So you might find fewer tips and tricks about the new user experience than your users want but more about management, deployment, and security—which ultimately is what matters to the long-term well-being of the company you work for This book is just an introduction, an overview For more detailed information about the features and capabilities described in this book, I encourage you to ­become a regular visitor at the Springboard Series on TechNet: http://www microsoft.com/springboard Tell ‘em Ed sent you Acknowledgments I’d like to thank the many folks at Microsoft who contributed their in-depth knowledge of Windows technologies to this book: Craig Ashley, Roger ­Capriotti, Stella Chernyak, Adam Hall, Chris Hallum, Dustin Ingalls, Michael Niehaus, www.it-ebooks.info vii and Fred Pullen I’d also like to thank the good folks at Microsoft Press—Anne ­Hamilton, Martin DelRe, Carol Dillingham, and especially Valerie Woolley—for their efforts at making this project happen on very short notice About the author Ed Bott is an award-winning technology journalist and author who has been ­writing about Microsoft technologies for more than two decades He is the author of more than 25 books on Microsoft Windows and Office You can find his most recent writing at The Ed Bott Report at ZDNet: http://www.zdnet.com/blog/bott Errata & book support We’ve made every effort to ensure the accuracy of this book and its companion content Any errors that have been reported since this book was published are listed at: http://aka.ms/IntroW8pt1/errata If you find an error that is not already listed, you can report it to us through the same page If you need additional support, email Microsoft Press Book Support at ­mspinput@microsoft.com Please note that product support for Microsoft software is not offered through the addresses above We want to hear from you At Microsoft Press, your satisfaction is our top priority, and your feedback our most valuable asset Please tell us what you think of this book at: http://aka.ms/tellpress The survey is short, and we read every one of your comments and ideas Thanks in advance for your input! Stay in touch Let’s keep the conversation going! We’re on Twitter: http://twitter.com/ MicrosoftPress viii Introduction www.it-ebooks.info CHAPTER An overview of Windows 8.1 ■ What is Windows 8.1?  ■ What’s new for IT pros?  ■ Windows 8.1 installation and upgrade options  13 W indows 8.1, a free update to Windows and Windows RT, arrives almost exactly a year after Windows 8’s General Availability date The final version was released to Microsoft’s hardware partners in late August, ensuring that a new wave of hardware devices powered by Windows 8.1 would debut at the same time Historically, new versions of Windows have come out roughly every three years, with one or more service packs released in the interim to roll up security and reliability updates So what’s behind this sudden acceleration in the update process? Does the rapid-fire schedule and the incremental name change mean that Windows 8.1 is a minor update, equivalent to a service pack? Not at all Windows 8.1 is, by any objective measure, a major release It includes the historic changes that were introduced in Windows and adds a very long list of improvements, refinements, and new features, big and small—more than enough to fill this book This faster update cycle isn’t a one-time event—it’s the new normal for Windows, a reflection of the modern, fast pace of change in the technologies that define our lives There’s no guarantee that future versions of Windows will arrive at the same annual pace, but it’s certain that the every-three-years cycle of upgrades is history If you formed your initial opinions about Windows a year ago and haven’t been paying much attention lately, this release deserves your attention Microsoft says it listened to feedback about Windows 8, from a wide range of sources This update is an attempt to address the most important feedback items and move the platform forward In this chapter, I provide an overview of Windows 8.1 and its changes, with a special emphasis on features and capabilities of interest to IT pros www.it-ebooks.info What is Windows 8.1? If you have any hands-on experience with Windows 8, you’re already familiar with its ­basic underpinnings The biggest, most obvious changes in the initial release of Windows were a touch-enabled user experience designed for a new generation of mobile hardware and ­support for a new class of applications But the initial release of Windows included many changes under the hood as well, with significant gains in performance, reliability, ­security, and ­manageability over previous Windows versions In enterprise settings, the most important changes in Windows 8.1 involve features that might not be immediately obvious Significant enhancements in security, for example, are important enough to warrant their own chapter (Chapter 4, “Security in Windows 8.1“) You’ll also find improvements in management and virtualization features for client PCs, which are introduced in this overview and covered in more detail in later chapters To follow along with this book, I encourage you to get the Windows 8.1 Enterprise ­ valuation, which is available as a free download from the Microsoft TechNet Evaluation E Center (http://technet.microsoft.com/en-US/evalcenter/ ) The trial is good for 90 days, and it works on most modern hardware and in a virtual machine It’s the best way to get hands-on experience with the Windows 8.1 features and capabilities described in this book Support for new device types Windows 8.1 has the same device requirements as Windows and will run on most PC ­hardware that was originally designed for Windows Vista or Windows That makes it ­possible to evaluate Windows 8.1 on a device that isn’t currently in production use To see Windows 8.1 at its best, however, you really need to see it in action on a variety of devices, including modern hardware with touchscreens and processors and p ­ ower-management subsystems engineered specifically to work with Windows 8.1 Widespread support for ­InstantGo, the new name for a feature previously called Connected Standby, for example, is just beginning to ­appear in the first wave of hardware for Windows 8.1 The core design principles of Windows are a direct response to a defining trend in ­ odern technology: the movement to pervasive computing Users are no longer tied to a m desktop but instead can use multiple devices, choosing each device for its suitability to the task at hand With proper management controls, these devices can switch easily between personal files, digital media, and enterprise resources Combined with robust online services, the Windows design allows people to remain productive regardless of where they are Windows expanded the traditional definition of a Windows PC to include all sorts of ­mobile devices that are distinctly non-PC These new device types include tablets that work with touch and stylus input as well as hybrid designs that include detachable keyboards to allow a single device to shift quickly between tablet and notebook form factors Microsoft’s original Surface Pro (Figure 1-1), with its integrated kickstand and click-on keyboard, is an excellent example of the latter category 2 Chapter An overview of Windows 8.1 www.it-ebooks.info ■■ ■■ ■■ ■■ ■■ Do I need access to alternative web browsers?  Internet Explorer 11 is the only browser available in Windows RT 8.1 If you require the use of third-party browsers, you should choose a PC with an x86/x64 or Atom processor running Windows 8.1 Are web plugins essential to my business?  Internet Explorer 11 on Windows RT 8.1 does not support the installation of any third-party plugins, including password ­managers, video players, and runtime engines This is true even when using ­Internet Explorer on the desktop Adobe Flash support is built in to Internet Explorer 11 (both the desktop and immersive browser experiences), and updates are delivered ­automatically along with other Windows RT 8.1 updates Does my business rely on any Office add-ins?  As I explain later in this c­ hapter, ­Office 2013 RT is included with Windows RT 8.1 Although it’s capable of most tasks you expect from a modern version of Office, it lacks the capability to run many ­common add-ins and plugins It also lacks support for macros, which means any ­custom document templates based on macros will not work properly on a Windows RT 8.1 device Can my business-critical apps run in a WinRT or web-only environment?  If your business relies on a Windows desktop program to handle accounting, ­point-of-sale transactions, or custom line-of-business (LOB) activities, you need to find a ­replacement that runs on Windows RT 8.1 The only alternatives are WinRT apps (from the Windows Store or written in-house) or web apps that run acceptably in Internet Explorer 11 Is my network architecture compatible with Windows RT 8.1?  The feature list for Windows RT 8.1 includes support for some virtual private network (VPN) and mobile broadband clients, but you need to confirm support for the specific network features your business uses In addition, some features that are available on Windows 8.1 PCs are not available on Windows RT 8.1 devices: ■■ The Storage Spaces feature is not available ■■ The desktop Windows Media Player utility is unavailable ■■ Windows RT 8.1 devices cannot be joined to a domain The Local Group Policy Editor (Gpedit.msc) is available in Windows RT 8.1, but the Group Policy Client service must be enabled before local policies will be applied Windows PowerShell on Windows RT 8.1 also lacks some features found in x86 and x64 Windows 8.1 editions Scripting access to the Microsoft NET Framework, for example, is not supported, and the PowerShell Integrated Scripting Environment (ISE) found in other editions is not included in Windows RT 8.1 What Windows RT 8.1 can and can’t www.it-ebooks.info Chapter 10 117 Office 2013 RT Windows 8.1 includes Microsoft Office 2013 RT as a standard feature This unique edition of Office is compiled to run on ARM processors Although the user experience and feature set for individual programs are similar (and in many cases identical) to the corresponding Office editions built for x86 and x64 processors, it cannot be upgraded to other Office 2013 ­editions, including those that are part of Office 365 Office 2013 RT updates are delivered only through updates to Windows RT 8.1 These are touch-optimized, desktop versions of Microsoft Word, Excel, PowerPoint, ­ neNote, and Outlook Outlook was not included in the original release of Windows RT; if you O install the Windows RT 8.1 update on a device running the original release of Windows RT, the Office 2013 RT programs are updated, with Outlook added to the lineup Figure 10-1 shows the Backstage view in Office 2013 RT, with connections to SkyDrive and other online services FIGURE 10-1  Every copy of Windows RT 8.1 includes Office 2013 RT, with the five programs shown here It allows connections to online services but cannot be replaced with a different edition 118 Chapter 10 Windows RT 8.1 www.it-ebooks.info Two additional free Office apps are available from the Windows Store The OneNote and Lync apps provide a subset of the functionality in their desktop equivalents The Office 2013 RT license agreement is identical to the license for Office Home and Student 2013 Note that these programs are not licensed for commercial use, and they lack support for most add-ons (and all macros), which might limit their usefulness in some types of enterprise deployments It is possible to upgrade the usage rights for Office 2013 RT to permit commercial use This can be done when the Windows RT device is a companion device for the primary user of a device with one of the following Office licenses: ■■ ■■ ■■ Business editions of Office 365 include commercial use rights that extend to Office 2013 RT Qualifying editions include Office 365 ProPlus, Office Small Business Premium, Office 365 Midsize Business, and Office 365 Enterprise (E3/E4) Office Standard and Professional Plus 2013 include this offering as a secondary use right An enterprise with a Volume License agreement can purchase commercial-use rights for Office that enables a Windows RT device for use in business scenarios Connecting to corporate networks The ability to connect to wireless networks is a core feature of Windows RT 8.1 The original release of Windows RT did not support wired network adapters at all Windows RT 8.1 adds a built-in Ethernet adapter class driver for USB network adapters that have been specifically designed for InstantGo (Connected Standby) operation In addition, Windows RT 8.1 supports a variety of corporate networking features, ­described in this section The use of VPNs helps protect the integrity and security of corporate networks from ­ eing compromised over external networks whose security can’t always be guaranteed b The ­Windows RT 8.1 VPN client allows connections to Windows servers and can connect to ­third-party VPN servers using standard protocols: PPTP, L2TP, and IKEv2 The client can be configured directly or with scripts or a central device-management tool New in Windows RT 8.1 is built-in support for third-party clients from F5, Dell SonicWall, CheckPoint, and Juniper In addition, Windows RT 8.1 includes improved support for multifactor authentication, including through the use of virtual smartcards Finally, Windows RT 8.1 includes the same two Remote Desktop clients available in other Windows 8.1 editions: one for use on the desktop, and the other a WinRT app designed for the touch-friendly immersive interface Either of these clients can be used to access desktop and app sessions on a remote PC or a RemoteApp server Connecting to corporate networks www.it-ebooks.info Chapter 10 119 Access to data Windows RT 8.1 supports the same types of local storage as other Windows 8.1 editions, allowing you to access built-in hard drives and flash storage as well as devices connected through USB ports In addition, you can access the following types of remote data sources with the following limitations: SkyDrive  Windows RT 8.1 adds the capability to sync files and folders from SkyDrive to local storage (This capability was not available in the original release of Windows RT.) In ­addition, with an active Internet connection, you can access files from remote SkyDrive ­folders SkyDrive Pro  Some editions of Office 2013 include a SkyDrive Pro client utility that can sync files from a cloud-based SharePoint personal site document library and make them ­available for offline use on a local drive This capability is not included with Office 2013 RT and cannot be added As a result, SkyDrive Pro files are available from within Office programs or through Internet Explorer 11, only with an active Internet connection Network shares  Shared folders are available in File Explorer using standard Windows networking protocols Because Windows RT 8.1 doesn’t support domain-based credentials, you might need to specify an alternate user ID and password (or use a smartcard) to provide authenticated access Note that the client-side caching (CSC) functionality found in Windows 8.1 Pro and Enterprise—support for offline files and folder redirection—is not ­available in Windows RT 8.1 You can, however, use Work Folders, a technology discussed in more detail in Chapter 11 120 Chapter 10 Windows RT 8.1 www.it-ebooks.info CHAPTER 11 Managing mobile devices Mobile device management strategies  121 System Center 2012 R2 Configuration Manager  122 Windows Intune  124 Workplace Join  124 Work Folders  126 Web Application Proxy  130 Device lockdown (Assigned Access)  130 ■ ■ ■ ■ ■ ■ ■ A lthough it probably didn’t seem so at the time, network management used to be relatively simple Workers sat down at a desk, where they logged on to a ­company-issued PC and connected to company-owned resources on company-managed servers Today, that’s all changed In our new Bring Your Own Device (BYOD) world, workers expect to be able to their job from anywhere, using any device, with full access to their work resources and data That proliferation of devices makes many traditional management techniques ­impractical at best and often technically impossible Yet you still have the challenge of securing ­confidential data and maintaining compliance with regulations that affect your industry Fortunately, a new generation of standards-based management tools, from Microsoft and other companies, allow you to provide access to corporate apps and information while still maintaining effective control over those resources Mobile device management strategies For the wide range of devices in your organization, Microsoft offers two primary ­management tools: ■■ System Center Configuration Manager 2012 R2 adds support for Windows 8.1 It offers full management capabilities over traditional domain-joined Windows PCs, including those running Windows To Go and Windows Embedded It also works with Apple-branded devices running OS X 121 www.it-ebooks.info ■■ Windows Intune is a cloud-based service that can manage PCs running Windows 8.1 and Windows RT 8.1, as well as mobile devices running Windows Phone 8, iOS, and Android You don’t have the same control as with a fully managed, domain-joined PC, but you can effectively exercise light control over predictable scenarios The key to successfully integrating your workers’ personal PCs and tablets into a mobile device management strategy is a set of open standards that use the Open Mobile ­Alliance Device Management protocols—OMA-DM 1.2.1, to be specific These protocols allow ­communication with cloud-based management services using secure HTTP This management agent is available on most mobile devices, and it is included by default with all editions of Windows 8.1, including Windows RT 8.1, with no additional software required For company-owned and managed PCs, you can deploy the full Configuration ­Manager client For personal devices that employees bring in as part of a BYOD strategy, ­joining the domain as a fully managed device is either impractical or impossible—­personal devices running the Core edition of Windows 8.1 or Windows RT 8.1 lack domain-join ­capabilities In that case, you can use Windows Intune to perform light management ­capabilities Management tools that support OMA-DM—including Microsoft Windows Intune, ­MobileIron, and AirWatch—can perform a variety of useful tasks: ■■ Hardware and software inventory ■■ Configuration of key settings ■■ Installation and configuration of modern line-of-business (LOB) applications ■■ Certificate provisioning and deployment ■■ Data protection, including the ability to wipe a lost or stolen device Two additional features that are new in Windows 8.1 and Windows Server 2012 R2 can also be used as part of a BYOD strategy Workplace Join enables a personal device to be ­authenticated on the enterprise network and allowed to access corporate resources and ­applications Work Folders is a simplified file synchronization feature that personal devices running Windows 8.1 can use to securely store and access files from a corporate network This chapter looks at all of the preceding strategies System Center 2012 R2 Configuration Manager System Center 2012 R2 Configuration Manager is the most recent release of ­Microsoft’s ­comprehensive management tool for Windows systems (physical and virtual) and ­Windows-based mobile devices When used in combination with Windows Intune, it provides a unified management environment that supports both company-owned and personal BYOD devices Configuration Manager is a user-centric tool designed to work with your organization’s Active Directory infrastructure This means that it associates hardware assets with specific 122 Chapter 11 Managing mobile devices www.it-ebooks.info ­ sers, allowing fine-tuned management of exactly which software and features are ­available u to users Configuration Manager also provides IT pros with a comprehensive reporting ­platform and deployment options Using Configuration Manager, you can perform the following functions: ■■ ■■ ■■ ■■ ■■ ■■ ■■ Application management  A set of tools and resources allow you to package, ­manage, deploy, and monitor applications in the enterprise Endpoint protection  Security, antimalware, and Windows Firewall management features are included Compliance settings  Use built-in tools to assess and, if necessary, adjust the ­configuration of client devices to meet compliance requirements Company resource access  New in the System Center 2012 R2 release is a set of tools and resources you can use to grant remote access to resources by setting up ­Wi-Fi profiles, virtual private network (VPN) profiles, and certificate profiles For ­example, you can install trusted root CA certificates for your enterprise to authenticate Windows 8.1 and Windows RT 8.1 devices on corporate Wi-Fi hotspots and VPNs Remote connection profiles  Also new in the System Center 2012 R2 release are tools to help you create and deploy remote connection settings to devices, making it easier for users to connect to their computer on the corporate network Operating system deployment  You can create operating-system images and deploy them to computers that are managed by Configuration Manager, as well as to unmanaged computers, by using PXE boot or bootable media Inventory  As an administrator, you can collect detailed information about hardware, software, data files, and license usage on managed devices Configuration Manager also includes remote control tools for help desks and capabilities for deploying software updates One of the most important changes in System Center 2012 R2 Configuration Manager is the ability to configure enrolled devices as company-owned or personal-owned Personal devices are not domain-joined and not have the Configuration Manager client installed These mobile devices report software inventory only on company content Wipe and ­retire functions also provide the option to remove only company content from these devices, ­preserving personal content and apps You can use Windows Intune (described in the next section) to manage Windows 8.1 devices that are not joined to the domain and not have the Configuration Manager client installed MORE INFO  For a more detailed discussion of new features in this release, see “What’s New in System Center 2012 R2 Configuration Manager,” at http://technet.microsoft.com/ en-us/library/dn236351.aspx System Center 2012 R2 Configuration Manager www.it-ebooks.info Chapter 11 123 Windows Intune Windows Intune uses a unified web-based administration console to provide cloud-based device-management features, software-deployment capabilities, and security ­capabilities ­Because it is a cloud-based management tool, the console does not require a VPN ­connection to your local domain Windows Intune does not require any established ­infrastructure, ­although it works well in combination with Configuration Manager One of the signature features found in Windows Intune is its customizable company ­portal, which is also available with Configuration Manager 2012 R2 The company portal is an ­interface customized with downloadable applications that IT a ­ dministrators can make available for an organization The company portal also allows users to directly contact IT and request remote assistance Figure 11-1 shows a sample company portal FIGURE 11-1  The company portal is a customizable destination where administrators can make apps available for users on a self-service basis In addition to offering remote application and service features, the company portal feature allows an administrator to use a remote security wipe u ­ tility to clear data from the device the next time it connects to the Internet Workplace Join With Windows 8.1, a PC that is domain joined can access corporate resources (if allowed to so by administrator-assigned permissions), and IT can control the PC through Group Policy and other mechanisms Personal devices that aren’t joined to the domain have no such capabilities 124 Chapter 11 Managing mobile devices www.it-ebooks.info Windows 8.1, in combination with Windows Server 2012 R2, adds a new feature called ­ orkplace Join, which provides a middle ground between this all-or-nothing access scenario W With Workplace Join, users can register personal devices on the corporate network using Active Directory, without joining the domain On the server side, administrators can create rules that allow a user to access corporate resources only when they sign in on a device that has been ­registered via Workplace Join (and is therefore trusted) This security feature offers a ­ dministrators the ability to control access to corporate resources without requiring sign-on with an Active Directory account or applying group policy Workplace Join is currently available for all Windows 8.1 editions as well as iOS devices Here’s how it works with Windows 8.1 On the server side, there are three requirements: ■■ ■■ ■■ The Windows Server 2012 R2 version of Active Directory Federation Services (ADFS) must be installed Two custom DNS entries are required One is automatically created by ADFS; the second resolves to enterpriseregistration.yourdomain (where yourdomain is your ­enterprise domain) The DNS record must be accessible internally and can optionally be available in external DNS A Secure Sockets Layer (SSL) certificate must resolve correctly to the ADFS and ­enterpriseregistration DNS records Once this infrastructure is set up, a Windows 8.1 client registers on the network using the Workplace Join option under Network, in PC Settings, as shown in Figure 11-2 FIGURE 11-2  To register a device on the network, enter your email address as it’s shown in Active ­Directory and then click Join in this PC Settings page Assuming the administrator has set up multifactor authentication (a highly recommended configuration), the user next sees a response from the server, as shown in Figure 11-3 Workplace Join www.it-ebooks.info Chapter 11 125 FIGURE 11-3  The recommended configuration for Workplace Join includes multifactor authentication Successfully completing the WorkPlace Join process installs a certificate in the local user account on the device and links it to Active Directory That certificate acts as a “thumbprint” for the device, allowing domain members to sign in to corporate resources (For auditing ­purposes, ADFS records details of the domain account that performed the registration, but any domain member is eligible to use the registered device.) Workplace Join offers a solution to a common BYOD problem: some devices cannot be ­domain joined, either because one device is a personal device or because the device is ­running an operating system that doesn’t support domain join Work Folders Work Folders is another new feature supported by default on Windows 8.1 devices that ­connect to Windows Server 2012 R2 With Work Folders enabled, a user can securely sync data to her device from a user folder located in the corporate data center, allowing the user to work with it offline Files created or modified in the local copy of the folder sync back to the file server in the corporate environment You can set up Work Folders on a multitude of devices running Windows 8.1, iOS, or another supported platform If you store all your ­personal work files in the Work Folders location (with as many subfolders as you want to ­create), they’ll roam with you to all your devices 126 Chapter 11 Managing mobile devices www.it-ebooks.info If this feature sounds familiar, that’s because it is, at least at a low level This is a new ­ eneration of the client-side caching (CSC) technology that has been part of Windows g ­networks for many years, powering folder redirection and Offline Folders The difference is that Offline Folders requires that a device be joined to the domain That excludes any ­personal devices running consumer versions of Windows It also doesn’t work with tablets running operating systems other than Windows Windows 8.1 devices not need to be domain joined for synchronization with personal files Your domain credentials unlock access to Work Folders As a result, you can use Work Folders on a device running Windows RT 8.1 and still maintain secure offline access to files On the server side, you enable Work Folders by installing the feature as part of the ­ indows Server 2012 R2 File Services role Doing so installs a new panel where you can W ­define a server file location to be synced with a specific user and then either create a DNS entry or publish a custom URL to reach the shared files Setting up Work Folders also enables Individual Rights Management (IRM) and Dynamic Access Control (DAC) for files in the shared location Using these capabilities, administrators can designate specific documents as company resources, which can then be managed to prevent unauthorized access from the local device On the client side, syncing is natively integrated into the file system To connect to Work Folders, you start in the desktop Control Panel\System And Security\ by clicking the Set Up Work Folders option shown in Figure 11-4 FIGURE 11-4  The Work Folders capability is built into the desktop Control Panel in all editions of ­Windows 8.1 That, in turn, leads to a dialog box where you enter either your email address or the URL that the administrator established In either case, when you click Next you will be prompted to enter your domain credentials to establish the connection, as shown in Figure 11-5 After you successfully authenticate, the next step of the setup process (shown in Figure 11-6) notifies you that administrators can apply security policies to data files in the Work Folders share, including the right to remotely delete them Some device capabilities such as encryption and a password-protected screen lock might be required Work Folders www.it-ebooks.info Chapter 11 127 FIGURE 11-5  Connecting to the Work Folders share requires that you enter an email address or a custom URL and then authenticate using your domain credentials FIGURE 11-6  The final step in setting up Work Folders on a Windows 8.1 device contains a notification about security policies that must be accepted before the feature is enabled 128 Chapter 11 Managing mobile devices www.it-ebooks.info The Work Folders feature is similar in concept to other Microsoft file-related features—specifically, SkyDrive and SkyDrive Pro What makes it different? SkyDrive is a consumer service intended for storage of personal files It’s connected to a Microsoft account and can’t be centrally managed or backed up That makes it unsuitable for enterprise data SkyDrive Pro provides access to SharePoint resources and is designed primarily for data collaboration in teams, with strong workflow-related features It can be securely managed, but its extensive feature set means it’s unnecessarily complex for simple file storage and ­synchronization between devices Work Folders doesn’t have any file-sharing features, but it’s incredibly easy to use This f­ eature can optionally be set up outside the firewall, a configuration that allows access without requiring a VPN connection The administrator can require that Workplace Join be enabled, preventing a potential attacker (or a careless ­employee) from accessing files ­using untrusted devices On Windows 8.1 and Windows RT 8.1, it doesn’t require the ­installation of a sync utility—it just works A Control Panel app, shown in Figure 11-7, lets you view usage statistics and provides some simple management tools ­Beyond that, no additional ­configuration is necessary FIGURE 11-7  This simplified management interface lets you view the status of your synced Work Folders and manually sync files, view any file errors, and stop using Work Folders on the current device Work Folders www.it-ebooks.info Chapter 11 129 Web Application Proxy The Web Application Proxy is a new role service in the Windows Server Remote Access role It provides the ability to publish access to corporate resources and enforce multifactor ­authentication, as well as apply conditional access policies to verify both the user’s identity and the device he is using On mobile devices, this feature can be used to improve the user experience of Workplace Join By connecting an ADFS server to the Web Application Proxy, users can connect to resources with multifactor authentication enforced, as well as receiving verification that the device being used for access is registered (and therefore trusted) Device lockdown (Assigned Access) This feature is new in Windows 8.1 (Pro and Enterprise editions only) and in Windows RT 8.1 Using the Assigned Access feature allows the device to run a single Windows Store app while restricting access to all other apps and features (including web browsers, email, games, and other potential sources of confusion or distraction) That’s a useful feature in kiosk ­applications, where you want customers to be able to view product or service information in a controlled environment It’s also ideal in classrooms (for a test-taking application, for ­example) and for point-of-sale, check-in, and other line-of-business apps that management might want to use exclusively on a device 130 Chapter 11 Managing mobile devices www.it-ebooks.info Now that you’ve read the book Tell us what you think! Was it useful? Did it teach you what you wanted to learn? Was there room for improvement? Let us know at http://aka.ms/tellpress Your feedback goes directly to the staff at Microsoft Press, and we read every one of your responses Thanks in advance! www.it-ebooks.info ... 11 1 User Experience Virtualization (UE-V) 11 3 Chapter 10 Windows RT 8. 1 115 What Windows RT 8. 1 can and can’t 11 6 Office 2 013 RT... mouse What is Windows 8. 1? www .it- ebooks.info Chapter FIGURE 1- 2  The Acer Iconia W3 - 81 0, with its 8. 1- inch screen, was the first commercially available device designed for Windows 8. 1 Regardless... recommendations as those for Windows (and for that matter, Windows 7) Table 1- 1 and the following text list the hardware recommendations for Windows 8. 1 Table 1- 1  Windows 8. 1 hardware recommendations
- Xem thêm -

Xem thêm: 6369 introducing windows 8 1 for IT professionals technical overview , 6369 introducing windows 8 1 for IT professionals technical overview , CHAPTER 1: An overview of Windows 8.1, CHAPTER 2: The Windows 8.1 user experience, CHAPTER 4: Security in Windows 8.1, CHAPTER 7: Recovery options in Windows 8.1, What’s new in Windows 8.1 networking?, CHAPTER 9: Virtualization in Windows 8.1

Mục lục

Xem thêm

Gợi ý tài liệu liên quan cho bạn

Nhận lời giải ngay chưa đến 10 phút Đăng bài tập ngay